DSC vs. GPO vs. SCCM vs. MDM

Microsoft Windows administrators now have a number of ways for managing their estates.

  • Group Policy (GPO)
    Allows very fine-grained control over every aspect of Windows. Primarily aimed at Windows desktops. Requires Active Directory (AD) and very careful configuration. Requires well trained specialist staff to get it right.
  • System Center Configuration Manager (SCCM)
    Allows central control over software delivery. Also requires AD. Configuration of delivery packages can be complex and very careful change control is required. Software delivery via SCCM can also be intrusive to users. Requires well trained specialist staff to get it right.
  • Desired State Configuration (DSC)
    Though extended by Microsoft this is actually part of a wider open standard “Open Management Infrastructure” and so applies to other platforms as well including Linux. Mainly aimed at server configurations. Falls into the DevOps camp as it defines server configurations in purely text format and so can be put under source control easily. DSC is typically dynamic and enforces the correct configuration (normally every 15 minutes) which greatly helps ensure secure configurations.
  • Mobile Device Management (MDM)
    Primarily aimed at mobile devices, this style of configuration is increasingly applicable to Windows Desktops with the advent of Windows 10. Microsoft InTune is leading the way with other MDM vendors following on. Not everything on the desktop can yet be controlled this way, even with W10 but many key settings and controls are already available. A much simpler method for enforcing desktop settings than the other methods, it allows fewer administrators and much less specialist knowledge.

The article from FoxDeploy covers the first three of those and lays out the purpose of each. Well worth a read.

What is missing is the 4th method which uses Mobile Device Management tooling. The leading contender for this is Microsoft InTune. However, InTune is really only focussed on Windows 10 (desktop and mobile), it has limited control in other Operating Systems.

Servers only ever exist in a given state. If they deviate or we make changes, we refactor and redeploy. DSC drives it all and the machine will be up and running on a new OS, with data migrated in a matter of minutes.

For all practical purposes, the first true large scale management tool we had for Windows systems in the modern era was Group Policy, or GPO as it is commonly truncated.

Comparatively, SCCM and MDT allow us to we import an image from a Windows install disk and then run dozens of individual steps which are customized based on the target machines platform, model, office location and other factors. The sky is the limit.

Curated from DSC vs. GPO vs. SCCM, the case for each. – FoxDeploy.com

Site updated – Faster and better!

The upgrade of this blog from WordPress 3.3 to 3.4 on Dreamhost didn’t go as smoothly as planned. In fact it failed fairly spectacularly – unable to complete the required database upgrade.

However, many clouds have silver linings. In this case it meant that I brought forward my plans to ditch the horribly slow hosting provided by Dreamhost in the USA and switch over to the new VPS provided by BHost in the UK.

If you have had the chance to compare the two sites, you’ll know that it now runs a lot faster. It will improve again when I do some tweaking. I can now use a proper opcode cache for PHP, something that Dreamhost wasn’t able to provide.

I’ll be doing further optimisations now that I have full control, I should be able to do away with a whole load of WordPress plugins.

Speeding up Cygwin

Yesterday I mentioned my success with Cygwin.

One issue I did have though was with the speed of startup. It was taking 15-20 seconds to start a BASH shell.

It turns out that this was a PATH issue. I went through my Windows PATH and cleared out the clutter. Now it takes just around 3-4 seconds for a full BASH login and less still for just running a script.

I now find myself using the BASH shell for all sorts of things and I’ve set up a number of alias’s to switch to folders I’m using a lot and to open common documents.

One handy function I’ve added to .bashrc (so it is always available) works out the current working version of a document. It assumes that you keep copies that have a version number or date in the file name that will sort correctly.

You can find the code on my development blog.

Here are a few more alias’s I use:

alias np='cygstart "/cygdrive/c/Program Files/Notepad++/notepad++.exe"'
alias c='cd /cygdrive/c/'
alias d='cd /cygdrive/d/'
alias work='cd "$HOME/Documents/Workdocs/"'
alias pers='cd "$HOME/Documents/Persdocs/"'
alias facebook='http://www.facebook.com'

How-to show a Message of the Day (MOTD) at the Windows Command Prompt

One of the features available under UNIX is the Message of the Day (MOTD). This is run every time you start a command prompt and displays the content of a file. In addition, the UNIX shells allow all sorts of stuff to be run and configured every time you start a new prompt using the .profile and .bashrc command files.

Windows users don’t generally expect that kind of flexibility from their command prompts. However, Windows does indeed support the use of an “autorun” into which you can shoe-horn any command you like.

So for my standard setup, I make the shell autorun run a “.profile.cmd” file that sits in the %USERPROFILE% folder. From that file, I can run anthing I like.

To set up a shell autorun, you have to edit the registry so the usual warnings to be careful and back things up apply. There are two locations you can set, one for the machine as a whole and one for the logged-in user.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Command Processor

If you want to set an autorun for another user, you need to go down HKEY_USERS and find the appropriate one, it’s really easier just to log in!

In one or both of those locations, add a new “String Value” (REG_SZ) called “AutoRun” with the value:

%USERPROFILE%\.profile.cmd

Now create that file and put in a message such as:

@echo "Hello and welcome to my command prompt"

Save the file and open a new shell and you should see the message just after the Microsoft copyright.

This should work on all versions of Windows at least from XP onwards.

If you want to add this to a batch file to set up new machines, here is the command you need:

reg.exe ADD "HKLM\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d ^%USERPROFILE^%\.profile.cmd /f

(Note that the above needs to go on a single line)


Technorati : , , , , ,
Diigo Tag Search : , , , , ,

Keeping Control: File and Folder Links for Windows Users

A good backup strategy for any computer involves keeping control of where stuff is stored. The fewer locations that contain files that change, the fewer locations have to be maintained.

UNIX users have always had the ability to keep things wherever they wanted and then to LINK that information into the required location. Basically, links create a link or tunnel between one file or folder and another. Most of the time, you will not notice that you’ve entered a tunnel and you are not interested really.

Windows users, however, have always been the poor cousins here. Stuck as we were in FATland, we had no access to fancy features such as links. So Microsoft in their inimitable fashion created a poor-man’s link – the Windows Shell Shortcut – so that the Windows GUI had some minimal capability (really only for menu’s and Windows Explorer).

Windows 2000 improved on this by introducing “Reparse Points” one form of which is the “Junction“. This is an extension to NTFS that allows folders to be joined (linked) to another location in the local volume space. Making junctions is not an obvious process, you can do it from the disk manager and there is a tool in the Windows 2000 server resource kit called linkd. The POSIX tools included in the resource kit contain the UNIX command ln which can also create junction points and hard links; fsutil in XP can also. There are some third party tools too.

It’s odd because I seem to remember that OS/2 had some kind of linking feature.

Anyway, links of the UNIX type are a massively useful feature that has finally (with Vista, Windows 2008 and beyond) made it fully to NTFS and Windows.

Vista, Windows 2008 and Windows 7 all have a command line tool called mklink. This can be used like the Unix ln command to create both hard links (which must be on the same volume) and soft links. Soft links under Windows can, in fact, span across SMB network drives as well.

You might also like to look at another free tool called “Link Shell Extension” by Hermann Schinagl. This integrates into Windows Explorer, the web site also has a more complete explanation of the history of links in Windows. LSE does a number of clever things and is well worth a look. Hermann also has a “dupmerge” tool on his web site that will replace duplicated files with hard links.

So now, if we want to tweak the HOSTS file for example (c:\windows\system32\drivers\etc\hosts), we don’t need to leave in place since that would mean that we would need an extra backup routine. Instead, copy it to somewhere that already gets backed up. Delete the original file and then from the command line:

mklink c:\windows\system32\drivers\etc\hosts %USERPROFILE%\BACKUPS\hosts

Now you can edit the hosts file from either location, there is only one file (in %USERPROFILE%\BACKUPS). The difference being that even if you delete the file from its normal location, it will still exist in the “real” location. If you delete it from its “real” place in BACKUPS of course, the link will be broken and wont work.

To link a complete folder, it is the same command with a /D parameter added. For example, I keep a folder of command line utilities such as ls, ssh and rsync in a folder on a USB pen drive. I sync that folder to the BACKUPS location on my hard drive for convenience but I need the folder in my PATH otherwise its hard to execute the utilities. I don’t want a really long path, it’s bad enough already, so I link the folder to c:\cmd with the following:

mklink /D c:\cmd %USERPROFILE%\BACKUPS\PEN\cmd

Now I add c:\cmd to the path and the utilities seem to be in both places.

I’ve said in other posts that I like to reinstall Windows now and again but it can be a pain to restore all of the document files. Similarly, if you keep multiple operating systems on your hard drive, how do you keep your documents sorted? One way is to put all documents, videos, music, etc. onto a separate partition. Now, instead of going mad with the Windows registry trying to relocate your normal documents folders to another drive. Simply delete the normal documents folder – %USERPROFILE%\Documents\ under Windows 7 and relink it to the appropriate folder on the other drive as so:

mklink /D %USERPROFILE%\Documents d:\Docs

Put this in a script that you run when you reinstall Windows and its easy and quick.

One final note. You may find a few pieces of software that cannot cope with links. Certainly Subversion cannot though Bazaar can. Windows Explorer seems OK though as do utilities such as RSYNC.


Technorati : , , , , , ,
Diigo Tag Search : , , , , , ,

Copy and Paste to OneNote (AutoHotKey script)

After yesterdays OneNote tool, I thought I’d do another while I think about it.

Another annoyance of OneNote is it’s lack of control over pasting information from the clipboard. I’ve raised a suggestion with MS to improve this; you can see my comment in the newsgroup.

To ease things a little if you need to copy and paste lots of stuff to OneNote, here is an AutoHotKey script to help. You need to assign this to a hot-key and have OneNote open in the background. Select something and press the hot-key and it will be pasted (using the current default paste option as this cannot be controlled) into the current note in OneNote.

; AutoHotKey Script to copy pre-selected stuff from the currently active window
; to the currently open note in OneNote
;
; Usage: #include in your main AutoHotKey.ahk assigned to a hot key
; Limitations: 
;       1) OneNote must be open - maybe change this in the future so that content goes to a new unfiled note
;       2) Doesn't swap back to original application
;
; Author: Julian Knight, http://www.knightnet.org.uk/contact.htm
; Version: 2009-04-01 v1.0

; We need a partial title match but we will also reset to previous setting
oldTitleMatchMode := A_TitleMatchMode
SetTitleMatchMode, 2

; Settings
winTitlePart := " - Microsoft Office OneNote"   ; Partial title of ON windows

; Copy currently selected stuff
SendPlay, ^c                    ; Use sendplay to avoid unexpected interactions with Win key

; If OneNote is not started, give up
IfWinExist, %winTitlePart%
{
        ; Save the currently active window title
        WinGetTitle, actWin, A
        
        ; If OneNote is not active, activate it now
        IfWinNotActive, %winTitlePart%
                WinActivate, %winTitlePart%

        ; Check again, if ON active then paste else error
        IfWinActive, %winTitlePart%     
        {
                ; Paste to ON & Add some blank lines
                SendPlay, ^v`r                  ; Use sendplay to avoid unexpected interactions with Win key
                ; Switch window back to previously active
                WinActivate, %actWin%
        }
        else
                MsgBox, Could not activate OneNote window.
                
} else
        MsgBox, Can't find ON [%winTitlePart%]

SetTitleMatchMode, %oldTitleMatchMode%
return


Technorati : , , , , , ,
Diigo Tag Search : , , , , , ,

Setting list item gaps in Microsoft OneNote (AutoHotKey script)

Although I like Microsoft OneNote and use it continuously, it does have a few failings. One of these is the inability to set the default styles and layout for text.

In particular, when you create a new paragraph or list entry in OneNote, the default – non-changeable – setting is to have no white space between the paragraphs.

This is very poor design and makes more than a small amount of text quite unreadable. I’ve raised this with Microsoft but who knows if or when it might be sorted.

In the mean time, I need a far quicker way of changing this. Currently, I’ve had to:

  1. Select the container with the text I want to format
  2. Use the menu to show the List Task Pane ([alt]o/L)
  3. Mouse click on the text box to change (you cannot tab into it)
  4. Change the 0.00 pt default to something like the 6.00 pt that I prefer
  5. Close the List Task Pane

Not nice!

Having determined that there is nothing clever that can be done in OneNote, I decided that the old standy “AutoHotKey” would be useful. So I’ve created a script for AutoHotKey that will change the inter-list gap for the currently selected container.

; [win]-z Set OneNote list to 6pt separation
#z::
; We need a partial title match but we will also reset to previous setting
oldTitleMatchMode := A_TitleMatchMode
SetTitleMatchMode, 2

debug            := 1                                                           ; Set to 1 to output debug messages, or 0
winTitlePart := " - Microsoft Office OneNote"   ; Partial title of ON windows
winText          := "List"                                                      ; Text to identify List Task Pane - Visible Window Text: MsoDockRight, Task Pane, List
listDefault      := "0.00 pt"                                           ; The default setting for list separation between items
listNew          := "6.00 pt"                                           ; My desired spacing between list items

; Only do something if ON is the active window
IfWinActive, %winTitlePart%
{
        ; We need the List Task Pane to be visible
        IfWinNotExist, %winTitlePart%, %winText%
        {
                ;IfEqual, debug, 1, MsgBox List not active
                ; Send chars to activate menu, can't use WinMenuSelectItem with Office apps
                ;   SendPlay is used to prevent the Windows key locking the PC (Win+L)
                SendPlay, !oL
        }
        ; List Task Pane should now be visible, save the existing setting
        ControlGetText, Var1 , RichEdit20W2, %winTitlePart%, %winText%
        ; If the current setting is the default setting then make the change
        if Var1 = %listDefault%
        {
                ; Focus on the input box & set the text
                ControlFocus, RichEdit20W2, %winTitlePart%, %winText%
                ControlSetText, RichEdit20W2, %listNew%, %winTitlePart%, %winText%
                ; This is optional to check if we were successful
                ControlGetText, Var2 , RichEdit20W2, %winTitlePart%, %winText%
                if ErrorLevel   ; i.e. it's not blank or zero then error
                        MsgBox, %Var1% - %Var2% - Problem - %ErrorLevel%.
                else
                        IfEqual, debug, 1, MsgBox, OK - %Var1% - %Var2%.
        }
        ; Close the List Task Pane (actually it closes the Task Pane, period, sorry)
        SendPlay, ^{F1}
}
else    ; ON not active so do nothing
        IfEqual, debug, 1, MsgBox, OneNote not active

SetTitleMatchMode, %oldTitleMatchMode%
return

OK, so it’s a bit rough-and-ready but it does save a whole lot of time. I’ve got this in my default AHK script so it is loaded whenever I log in and is activated with [win]z.


Technorati : , , , , , ,
Diigo Tag Search : , , , , , ,

Changing system environment variables from the Windows command line

There are several ways to change global or user environment variables manually in Windows. Most are well known so I wont repeat them here (e.g. in Vista or Windows 7, Control Panel/User Accounts, Change my environment variables).

However, sometimes you want to do this from a command (aka script or batch) file. This is not as straightforwards as it might seem. That’s because if you simply set the variable – e.g. set FRED=JimBob – it is only set while you are in that command file. Once the script has finished, the variable will no longer be set.

There are a number of examples of setting system or user environment variables available if you do a Google search but most of them are incomplete – they do not immediately make the new value available to all applications (and particularly to new command shells).

To make sure that the new value is available system-wide, you have to tell Windows to refresh the environment variable list and the easiest way to ensure this happens is to change the variable from a Windows Scripting Host (WSH) script.

Here is an example script to do this. Save this file as something like set-env.vbs somewhere convenient.

'Set/Change/Delete An Environment Variable 
'  In this simple script, we mainly assume that the variable space is USER.
'  The variable is not only changed for the calling script, it also forces a system-wide
'    refresh of the lists so the created/updated/deleted variable is immediately available
'    to all applications.
'
'Syntax:
'  With 3 arguments
'    Creates or changes the named variable in the in the given environment variable list
'    set-env.vbs <variable type> <variable name> <assigned value>
'
'  With 2 arguments - Assumes the variable type is USER
'    Creates or changes the named variable in the current USER's environment variable list
'    set-env.vbs <variable name> <assigned value>
'
'  With 1 argument - Assumes the variable type is USER
'    Deletes the named variable from the current USER's environment variable list
'    set-env.vbs <variable name>
'
'  With no arguments
'    No action taken
'
'Where:
'  <variable type> is one of
'    "System" (HKLM),
'    "User"   (HKCU),
'    "Volatile" or "Process"
'
'Author:
'  Julian Knight, http://www.knightnet.org.uk/contact.htm
'
'License:
'  Permission is given to reuse this code in any way desired
'  No support is given or implied for this code
'

Set WSHShell = WScript.CreateObject("WScript.Shell")

' Get arguments
Set oArgs=WScript.arguments

WScript.Echo
Select Case oArgs.Count
        case 3
                ' If we have 3 arguments, assume <type> <name> <value> and create/change
                WSHShell.Environment(oArgs.item(0)).item(oArgs.item(1)) = oArgs.item(2)
                WScript.Echo "Created or Changed Environment Variable: " & oArgs.item(0) & ", " & oArgs.item(1) & ", " & oArgs.item(2)
        case 2
                ' If we have 2 arguments, assume <name> <value> and create/change in USER space
                WSHShell.Environment("USER").item(oArgs.item(0)) = oArgs.item(1)
                WScript.echo "Created or Changed Environment Variable: USER, " & oArgs.item(0) & ", " & oArgs.item(1)
        case 1
                ' If we have 1 arg, assume <name> and delete in USER space
                WSHShell.Environment("USER").Remove(oArgs.item(0)) 
                WScript.echo "Deleted Environment Variable: USER, " & oArgs.item(0)
        case Else
                ' Otherwise do nothing
                WScript.echo "No action"
End select
WScript.Echo

Note that in Vista or above, you will need to run the command file with elevated privileges for this to work. The normal command prompt gets this automatically but if you want to run the file from Windows Explorer, you will need to create a shortcut and change the settings.

You can now use this in your batch command scripts, for example:

@echo.
@REM change http_proxy variable for current user (forces change & refreshes system so new setting is immediately available to everything)
@cscript.exe //nologo C:\set-env.vbs http_proxy http://localhost:3128
@echo.

@choice /T 5 /D y /N /M "Switch complete, now using local proxy"
@echo.


Technorati : , , , ,
Diigo Tag Search : , , , ,

proxy.pac files, Mozilla (Firefox & Thunderbird) and Vista or Windows 7

I’ve found a problem with Mozilla based products and proxy settings.

To automatically configure a proxy for use by Internet browsers, you can use a file called “proxy.pac“. This is a JavaScript function that is loaded into the browser when it starts and redirects requests via a proxy where required.

All of the descriptions for this file you will find on the Internet will provide the following example of checking your current IP address. This is used for laptops where the IP address will change depending on where you are. You can check when the laptop is on the corporate network and redirect requests via the corporate proxy as needed:

if ( isInNet(myIpAddress(), "10.10.10.0", "255.255.255.0") ) {
  alert("Corporate address &amp; proxy");
  return "PROXY 10.10.10.240";
 }

Well, this does not work for Mozilla based applications (for example Firefox and Thunderbird) if you are using Microsoft Vista or Windows 7.

That is because, under those operating systems, the internal function myIpAddress() does not return an IPv4 address as expected (e.g. 10.10.10.5) but an IPv6 address instead (e.g something longer with lots of “:”).

In order to make your proxy.pac file work with both IE and Mozilla, use something like:

if (isInNet(myIpAddress(), "10.97.100.0", "255.255.255.0") ||
            shExpMatch(myIpAddress(), "fe80::b892:6a74:9635:*") ) {
  alert("Corporate address &amp; proxy");
  return "PROXY 10.61.9.200:8080; DIRECT;";
 }

You can discover your IPv6 address in several ways but the trusty command line “ipconfig /all” shows you everything you need.

See also this discussion on the Mozilla support forums: proxy.pac myIpAddress() returns incorrect format?


Del.icio.us : , , ,
Technorati : , , ,
Diigo Tag Search : , , ,

Font sizes and DPI

This seems to be a problem that won’t go away. It seems inordinately hard to get a good looking set of fonts of the correct size. It is not that there aren’t some nice fonts available; there are, at last, some fonts under Linux that often look superior to the Microsoft ones. It’s just that it is difficult to get the whole look and feel correct.
This is especially true when mixing Gnome based applications (Firefox and Thunderbird for example) and KDE. OpenOffice also refuses to play nicely.
Anyway, grumping over, there is an excellent article on the Mozilla site about how to improve some of this by getting the correct DPI settings for your monitor (this is especially noticeable on my 24″ beast!)
The article is here.